In IIS 7 on Windows Server 2008, application pools can be run as the "ApplicationPoolIdentity" account instead of the NetworkService account.
How do I assign permissions to this "ApplicationPoolIdentity" account. It does not appear as a local user on the machine. It does not appear as a group anywhere. Nothing remotely like it appears anywhere. When I browse for local users, groups, and built-in accounts, it does not appear in the list, nor does anything similar appear in the list. What is going on?
I'm not the only one with this problem: see Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7 for an example.
"This is unfortunately a limitation of the object picker on Windows Server 2008/Windows Vista - as several people have discovered it already, you can still manipulate the ACL for the app-pool identity using command line tools like icacls."
Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.
Note: Per comments below, there are two things to be aware of:
Reference to Microsoft Docs article: Application Pool Identities > Securing Resources
Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:
Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.
However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.
This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.
Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.
You have to make sure that the
From this locationfield is set to thelocal machineand not the domain.I had the same issue and once I changed that it worked fine.
You should really be creating groups per "role" and assigning that group accesses on the filesystem. Then add the app pool to the role-specific groups as necessary. This way even if you remove the app pool later (and the virtual user goes poof), you dont have to worry about redoing all the permissions, you just add the replacement app pool to the existing group.
After reading @Scott Forsyth - MVP answer I tried to restart the Application Host Helper Service. That solved the problem for me.
I was running WS8 R2 and I could not add
IIS APPPOOL\DefaultAppPoolvia Windows Explorer. The only way it worked was via command line:If this question is about how to execute _sp_send_dbmail in msdb database (using the SQL send Database Mail stored procedure in msdb), here is some work around. Add the .net application user name of your database (which is define on your connection string in your .net app) to the msdb user with "DatabaseMailUserRole" role membership